According to Facebook, this has never been allowed:
Please remember that developers have never been allowed to send user data received from Facebook to ad networks, and we take firm action against this. If you run code provided by an ad network in the operation of your application, be sure you understand what this code does.
Except of course for the part where it happened and they made money of it.
Jacking people’s personal content without their consent to use in ads has never been okay, says Facebook, but now the smack is being laid down, now that the rest of the internet has noticed one month after we posted about it.
A point of clarification: in a previous post about this, we said that there was a way within the settings to opt-out of the ads using your photos in Facebook. That’s just for official Facebook ads themselves, not for ads deployed by 3rd-party apps. Apologies.